
Unfortunately, I think even the phrase “installing all needed patches” is too optimistic. In my surveys of SCADA and ICS facilities, I find that even when operating system patches are getting installed, application patches are not. For example, many HMIs are running copies of Adobe PDF Reader that haven’t been patched in years. Considering that Adobe has released over 30 critical security patches for Reader in the past three years, this is a gaping security hole.

Clearly security vulnerabilities aren’t just an operating system problem. And they are not just a business application problem. We saw the number of publicly disclosed security vulnerabilities for SCADA and ICS products jump dramatically in 2011. For 2012, all indications are that the situation will be worse. Many of these vulnerabilities are not on Windows computers, but rather critical hardware such as PLCs, DCS controllers, RTUs, switches, routers and even firewalls!

Personally, I blame the discovery of Stuxnet in July 2010 and the media attention it attracted for SCADA products. The quality of SCADA and ICS products didn’t suddenly get worse in 2011. The vulnerabilities were always there. Stuxnet just woke up security researchers to the relative ease of exploiting automation devices.

The trend of increasing SCADA/ICS public disclosures has caused a lot of difficulty for vendors. Some of them, such as our sister company GarrettCom, have been credited by researchers as being proactive [1] in dealing with the situation. Others, such as Advantech, have been a case study on how not to work with your customer base or ICS-CERT to address issues.

We have a Patch – Now What?

But even for the most responsive vendors, the problem does not go away when the patch is released. Many operators simply fail to implement the patches. We have consistently heard from end-users how difficult it is to apply security updates to industrial control products. The demands of continuous production, stringent safety/regulatory requirements or widely distributed devices can make patching a nightmare. As much as we would like it to be different, patching in SCADA and ICS is a slow and scattered practice.

Tofino Security Profiles – An Alternative to ICS/SCADA Patching

During the early years of Tofino Security, we were asked by a major food company if Tofino could help them solve a patching problem they were facing. They had a large installation of Windows NT servers that could not be decommissioned because some critical software only ran on this old operating system. Yet Microsoft had ended support for NT, so there were no patches available.

At the time, we were not able to solve the issue, but it got us thinking. Could we use Tofino as a proxy for the direct patching of the PLC or RTU? It has taken a while, but now we can answer YES. Tofino Security Profiles is a new feature included in the 1.7 version of the Tofino Industrial Security Solution. It allows the loading of special rule sets that can be used to detect and block attempts to exploit known vulnerabilities in a product.

Critical infrastructure such as power transmission could be interrupted if a publicly disclosed vulnerability is exploited. Tofino Security Profiles provide a simple way to mitigate such a vulnerability.

Security Profiles are a Simple Way to Protect Industrial Networks

A Tofino Security Profile is a collection of firewall rules and protocol definitions designed to address a specific vulnerability for a specific product. It can include complex checks that a traditional firewall cannot perform, such as text searches for the attempted use of a default password.

The Security Profiles are created as a joint effort between the affected vendor and the Tofino Security team, and then distributed to control system customers. Users then simply import the new Security Profile into their Tofino Security Appliances and assign it to protect the vulnerable devices.

Operators benefit from receiving a single, easy-to-deploy package of tailored rules that can be installed without impacting operations. Users can also check the new rules using Test Mode before they actually start blocking traffic. The result is that industrial facilities can defend themselves against new threats without having to rely on patches for their PLCs and switches.

Security Profiles do not Counteract Every Vulnerability

It is important to understand that Security Profiles are not the silver bullet to solve all security issues. For example, vulnerabilities that involve encrypted sessions (such as HTTPS) cannot be addressed with special firewall rules, because the firewall can’t typically decrypt and inspect the traffic. But for a large number of the PLC and DCS vulnerabilities we have seen, the technique works well.

Making Security Simple

It is my belief that in order to improve industrial security we need to make the processes and technologies related to security simple. Security Profiles is one way we do that with Tofino. Other aspects involve utilizing best practices such as Defense in Depth, and focusing on securing key assets.

What are your thoughts? How does your company implement security-related updates?

[1] Listen to the comments about GarrettCom at these times in the video: 10:03, 17:34

I agree with the content of this post, but some of the education may be misleading. It's true that keeping your network up to date is time consuming, but I would not conclude that you can give up patching. You correctly mention "defense in depth" at the end of the article. The Tofino security device can be an economical means of improving your "low hanging fruit" problems. I believe that it takes a deliberate (simple) architecture to be able to maximize your benefits from a perimeter device. In the industrial space I'm referring to segmenting PLC/HMI/SCADA networks from user networks. The more difficult part to get right is defense at the host level. Most of the nasty malware you wrote about spread by USB drives, spread from host to host within a network (behind the perimeter defense devices), or were clicked on by the weakest link (users) such as email attachments.

I believe that it will take a level of effort and resources to protect from sophisticated malware. The advice in this post is a great start, though!

Thanks for the comment. I completely agree that this is not an alternative to patching. Everyone - please patch if you possibly can! And please patch the applications and not just the OS.

Now my point in this blog was that patching alone is not working, so we better get a few more tools in the tool box. We hope Tofino Security Profiles will be a useful one, especially in cases where there simply is no patch available (legacy PLCs for example), or when shutting down a controller to install a patch isn't an option (SIS for example).

Yes – Tofino’s focus is to deal with the vulnerability rather than specific exploits. We find that it is too easy for the attacker to slip a few NOPs into the attack string and make it look different to the IDS.

We also try to avoid signatures if at all possible and go after the heuristics of the vulnerability. For example, if a PLC has a number of known buffer overflow vulnerabilities over Modbus, then we don’t care much about the specific public vulnerabilities, as we are willing to bet there are others still to be found (for an example of this, see More SCADA Security Threats: Where There’s Smoke, There’s Fire). Instead we deploy rules that enforce checks on the lengths of all fields that could be used for a buffer overflow on that product.

Now these length rules might be a bit harsh for other non-affected products, so this is where the “profiles” come in. We allow the user or vendor to associate specific rules against traffic going to a specific product. Thus we don’t have to run all network traffic through every possible rule. This greatly improves performance, something that really matters in the SCADA/ICS world.
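The length-enforcement and per-device profile approach described in this reply, together with the Test Mode mentioned in the post, as an added example that is neither Tofino's code nor its rule format: a Modbus/TCP Write Multiple Registers request to the profiled device is forwarded only if its MBAP length, register quantity and byte count all agree. The device IP, the sample frames and the single-function scope are constructed assumptions.

```python
# Added example (not Tofino's code): a Security-Profile-style check that enforces
# Modbus/TCP length-field consistency for one protected device, with a Test Mode.
import struct
from dataclasses import dataclass, field
from typing import List, Optional

MODBUS_MAX_ADU = 260          # Modbus/TCP: 7-byte MBAP header + 253-byte PDU
WRITE_MULTIPLE_REGISTERS = 0x10

@dataclass
class Profile:
    """Rules bound to one device; in test_mode violations are logged but forwarded."""
    device_ip: str                      # constructed: the device this profile protects
    test_mode: bool = False
    alerts: List[str] = field(default_factory=list)

def check_modbus_frame(frame: bytes) -> Optional[str]:
    """Return None if every length field is self-consistent, else the violated rule."""
    if len(frame) < 8:
        return "shorter than MBAP header plus function code"
    if len(frame) > MODBUS_MAX_ADU:
        return "ADU exceeds 260-byte Modbus/TCP limit"
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        return "protocol identifier is not Modbus (0)"
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        return "MBAP length field disagrees with bytes on the wire"
    if func == WRITE_MULTIPLE_REGISTERS:
        if len(frame) < 13:
            return "truncated Write Multiple Registers request"
        _addr, qty, byte_count = struct.unpack(">HHB", frame[8:13])
        # spec caps quantity at 123 registers; byte count must be exactly 2 per register
        if not 1 <= qty <= 123 or byte_count != 2 * qty or len(frame) != 13 + byte_count:
            return "register quantity, byte count and payload length disagree"
    return None

def filter_frame(profile: Profile, dst_ip: str, frame: bytes) -> bool:
    """True if the frame is forwarded. Only traffic to the profiled device is inspected."""
    if dst_ip != profile.device_ip:
        return True
    reason = check_modbus_frame(frame)
    if reason is None:
        return True
    profile.alerts.append(reason)
    return profile.test_mode            # Test Mode forwards and logs; enforce mode drops

def build_write_request(qty: int, byte_count: int, payload: bytes) -> bytes:
    """Constructed Write Multiple Registers request; the MBAP length is computed honestly."""
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, 0, qty, byte_count) + payload
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu
```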

I concur 100% with Eric here, and based on extensive field assessment and analysis data from users in multiple sectors spanning multiple ICS vendors, find that those that implement a Patch Management Program (and this is not the majority of those reviewed!) consider Patch Management their primary security control. I know we all agree that you must patch your COMPLETE ICS system - including firmware, ICS applications, third-party client applications, network appliances, packaged equipment (e.g. turbine controllers, BMS systems, condition monitoring, asset management ... and on and on). However, if you shift your security approach from standards- or compliance-based to risk-based you will quickly discover that there are so many more effective controls that provide greater risk reduction both in terms of vulnerability exploitation and the resulting consequences.

In closing, remember that there are many industries where patching just is not practical (pharma, offshore O&G, F&B, etc.) and in these cases we have implemented very strong security through other means.

I was so focused on getting a point across that I forgot to congratulate Eric and the entire team for releasing another unique, "game changing" solution to help better secure ICS architectures. In 2011, I demonstrated some of my research on how I would deploy intrusion monitoring techniques within the ICS networks to specially address ICS attack vectors and vulnerabilities. The Tofino Security Profiles have enormous benefit and use potential when you look at how hard it is to protect endpoints like PLCs that typically have few security controls that can be directly used.

I can't wait to get a hold of some of these Profiles and incorporate them into my training material!